berbew | 854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035

Analysis

max time kernel
78s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035N.exe
Size

96KB
MD5

48a599ce32b4f79f5db35f99970bfc40
SHA1

27638e1de30308ac1ddbd4042bcaf8c9d6dd3ae1
SHA256

854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035
SHA512

2f18a9dd41c6e111f477ef3ba6ddc7269067cf2444cd76382d94dd13111920f17d7f759fd011b413d281516af77202542e79fbafa45687ff9f50302cddb3bf9f
SSDEEP

1536:TWpd19kYHNU6tG8B0C1bnWSeORILl5YJ2Ln7RZObZUUWaegPYAG:TWpr9kUNRs40OnWSZRcLnClUUWae9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pebpkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pleofj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnghel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qiioon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pebpkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgcmbcih.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 58 IoCs

pid	Process
2920	Pebpkk32.exe
3060	Pgcmbcih.exe
1156	Phcilf32.exe
2832	Pidfdofi.exe
2748	Ppnnai32.exe
3024	Pghfnc32.exe
2568	Pleofj32.exe
1864	Qcogbdkg.exe
2016	Qiioon32.exe
376	Qdncmgbj.exe
2052	Qeppdo32.exe
752	Qnghel32.exe
1240	Accqnc32.exe
1280	Ajmijmnn.exe
1816	Aojabdlf.exe
2268	Aaimopli.exe
1632	Akabgebj.exe
1724	Achjibcl.exe
900	Adifpk32.exe
960	Ahebaiac.exe
1520	Anbkipok.exe
2532	Aficjnpm.exe
1652	Adlcfjgh.exe
2032	Agjobffl.exe
2744	Abpcooea.exe
2212	Bgllgedi.exe
2808	Bbbpenco.exe
2708	Bdqlajbb.exe
2200	Bjmeiq32.exe
2724	Bmlael32.exe
2620	Bfdenafn.exe
1896	Bnknoogp.exe
1312	Bchfhfeh.exe
1648	Bgcbhd32.exe
1992	Bqlfaj32.exe
1252	Boogmgkl.exe
2868	Bmbgfkje.exe
1408	Coacbfii.exe
2368	Ccmpce32.exe
1132	Ciihklpj.exe
964	Cnfqccna.exe
1720	Cepipm32.exe
1880	Cileqlmg.exe
1768	Ckjamgmk.exe
2168	Cagienkb.exe
632	Ckmnbg32.exe
1912	Cjonncab.exe
2280	Cbffoabe.exe
2828	Caifjn32.exe
2564	Ceebklai.exe
2736	Cgcnghpl.exe
2552	Clojhf32.exe
2600	Calcpm32.exe
860	Cegoqlof.exe
872	Cgfkmgnj.exe
1400	Djdgic32.exe
2732	Danpemej.exe
2424	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2344	854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035N.exe
2344	854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035N.exe
2920	Pebpkk32.exe
2920	Pebpkk32.exe
3060	Pgcmbcih.exe
3060	Pgcmbcih.exe
1156	Phcilf32.exe
1156	Phcilf32.exe
2832	Pidfdofi.exe
2832	Pidfdofi.exe
2748	Ppnnai32.exe
2748	Ppnnai32.exe
3024	Pghfnc32.exe
3024	Pghfnc32.exe
2568	Pleofj32.exe
2568	Pleofj32.exe
1864	Qcogbdkg.exe
1864	Qcogbdkg.exe
2016	Qiioon32.exe
2016	Qiioon32.exe
376	Qdncmgbj.exe
376	Qdncmgbj.exe
2052	Qeppdo32.exe
2052	Qeppdo32.exe
752	Qnghel32.exe
752	Qnghel32.exe
1240	Accqnc32.exe
1240	Accqnc32.exe
1280	Ajmijmnn.exe
1280	Ajmijmnn.exe
1816	Aojabdlf.exe
1816	Aojabdlf.exe
2268	Aaimopli.exe
2268	Aaimopli.exe
1632	Akabgebj.exe
1632	Akabgebj.exe
1724	Achjibcl.exe
1724	Achjibcl.exe
900	Adifpk32.exe
900	Adifpk32.exe
960	Ahebaiac.exe
960	Ahebaiac.exe
1520	Anbkipok.exe
1520	Anbkipok.exe
2532	Aficjnpm.exe
2532	Aficjnpm.exe
1652	Adlcfjgh.exe
1652	Adlcfjgh.exe
2032	Agjobffl.exe
2032	Agjobffl.exe
2744	Abpcooea.exe
2744	Abpcooea.exe
2212	Bgllgedi.exe
2212	Bgllgedi.exe
2808	Bbbpenco.exe
2808	Bbbpenco.exe
2708	Bdqlajbb.exe
2708	Bdqlajbb.exe
2200	Bjmeiq32.exe
2200	Bjmeiq32.exe
2724	Bmlael32.exe
2724	Bmlael32.exe
2620	Bfdenafn.exe
2620	Bfdenafn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Phcilf32.exe	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Pgcmbcih.exe	Pebpkk32.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	Aaimopli.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Akabgebj.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Accqnc32.exe	Qnghel32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Adifpk32.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Anbkipok.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Pghfnc32.exe	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Qiioon32.exe	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Hqjpab32.dll	Accqnc32.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Qcogbdkg.exe	Pleofj32.exe
File created	C:\Windows\SysWOW64\Cmfaflol.dll	Qcogbdkg.exe
File opened for modification	C:\Windows\SysWOW64\Anbkipok.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Phcilf32.exe	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Bgllgedi.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Akabgebj.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Nlbjim32.dll	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Qcogbdkg.exe	Pleofj32.exe
File opened for modification	C:\Windows\SysWOW64\Qeppdo32.exe	Qdncmgbj.exe
File created	C:\Windows\SysWOW64\Anbkipok.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Bgllgedi.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Pidfdofi.exe	Phcilf32.exe
File created	C:\Windows\SysWOW64\Aldhcb32.dll	Qiioon32.exe
File created	C:\Windows\SysWOW64\Khoqme32.dll	Ajmijmnn.exe
File opened for modification	C:\Windows\SysWOW64\Ahebaiac.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Aqcifjof.dll	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Agjobffl.exe
File opened for modification	C:\Windows\SysWOW64\Bbbpenco.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Aojabdlf.exe	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	Bfdenafn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
448	2424	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pebpkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pghfnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll"	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll"	Qiioon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll"	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbjim32.dll"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll"	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achjibcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2920	2344	854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035N.exe	31
PID 2344 wrote to memory of 2920	2344	854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035N.exe	31
PID 2344 wrote to memory of 2920	2344	854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035N.exe	31
PID 2344 wrote to memory of 2920	2344	854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035N.exe	31
PID 2920 wrote to memory of 3060	2920	Pebpkk32.exe	32
PID 2920 wrote to memory of 3060	2920	Pebpkk32.exe	32
PID 2920 wrote to memory of 3060	2920	Pebpkk32.exe	32
PID 2920 wrote to memory of 3060	2920	Pebpkk32.exe	32
PID 3060 wrote to memory of 1156	3060	Pgcmbcih.exe	33
PID 3060 wrote to memory of 1156	3060	Pgcmbcih.exe	33
PID 3060 wrote to memory of 1156	3060	Pgcmbcih.exe	33
PID 3060 wrote to memory of 1156	3060	Pgcmbcih.exe	33
PID 1156 wrote to memory of 2832	1156	Phcilf32.exe	34
PID 1156 wrote to memory of 2832	1156	Phcilf32.exe	34
PID 1156 wrote to memory of 2832	1156	Phcilf32.exe	34
PID 1156 wrote to memory of 2832	1156	Phcilf32.exe	34
PID 2832 wrote to memory of 2748	2832	Pidfdofi.exe	35
PID 2832 wrote to memory of 2748	2832	Pidfdofi.exe	35
PID 2832 wrote to memory of 2748	2832	Pidfdofi.exe	35
PID 2832 wrote to memory of 2748	2832	Pidfdofi.exe	35
PID 2748 wrote to memory of 3024	2748	Ppnnai32.exe	36
PID 2748 wrote to memory of 3024	2748	Ppnnai32.exe	36
PID 2748 wrote to memory of 3024	2748	Ppnnai32.exe	36
PID 2748 wrote to memory of 3024	2748	Ppnnai32.exe	36
PID 3024 wrote to memory of 2568	3024	Pghfnc32.exe	37
PID 3024 wrote to memory of 2568	3024	Pghfnc32.exe	37
PID 3024 wrote to memory of 2568	3024	Pghfnc32.exe	37
PID 3024 wrote to memory of 2568	3024	Pghfnc32.exe	37
PID 2568 wrote to memory of 1864	2568	Pleofj32.exe	38
PID 2568 wrote to memory of 1864	2568	Pleofj32.exe	38
PID 2568 wrote to memory of 1864	2568	Pleofj32.exe	38
PID 2568 wrote to memory of 1864	2568	Pleofj32.exe	38
PID 1864 wrote to memory of 2016	1864	Qcogbdkg.exe	39
PID 1864 wrote to memory of 2016	1864	Qcogbdkg.exe	39
PID 1864 wrote to memory of 2016	1864	Qcogbdkg.exe	39
PID 1864 wrote to memory of 2016	1864	Qcogbdkg.exe	39
PID 2016 wrote to memory of 376	2016	Qiioon32.exe	40
PID 2016 wrote to memory of 376	2016	Qiioon32.exe	40
PID 2016 wrote to memory of 376	2016	Qiioon32.exe	40
PID 2016 wrote to memory of 376	2016	Qiioon32.exe	40
PID 376 wrote to memory of 2052	376	Qdncmgbj.exe	41
PID 376 wrote to memory of 2052	376	Qdncmgbj.exe	41
PID 376 wrote to memory of 2052	376	Qdncmgbj.exe	41
PID 376 wrote to memory of 2052	376	Qdncmgbj.exe	41
PID 2052 wrote to memory of 752	2052	Qeppdo32.exe	42
PID 2052 wrote to memory of 752	2052	Qeppdo32.exe	42
PID 2052 wrote to memory of 752	2052	Qeppdo32.exe	42
PID 2052 wrote to memory of 752	2052	Qeppdo32.exe	42
PID 752 wrote to memory of 1240	752	Qnghel32.exe	43
PID 752 wrote to memory of 1240	752	Qnghel32.exe	43
PID 752 wrote to memory of 1240	752	Qnghel32.exe	43
PID 752 wrote to memory of 1240	752	Qnghel32.exe	43
PID 1240 wrote to memory of 1280	1240	Accqnc32.exe	44
PID 1240 wrote to memory of 1280	1240	Accqnc32.exe	44
PID 1240 wrote to memory of 1280	1240	Accqnc32.exe	44
PID 1240 wrote to memory of 1280	1240	Accqnc32.exe	44
PID 1280 wrote to memory of 1816	1280	Ajmijmnn.exe	45
PID 1280 wrote to memory of 1816	1280	Ajmijmnn.exe	45
PID 1280 wrote to memory of 1816	1280	Ajmijmnn.exe	45
PID 1280 wrote to memory of 1816	1280	Ajmijmnn.exe	45
PID 1816 wrote to memory of 2268	1816	Aojabdlf.exe	46
PID 1816 wrote to memory of 2268	1816	Aojabdlf.exe	46
PID 1816 wrote to memory of 2268	1816	Aojabdlf.exe	46
PID 1816 wrote to memory of 2268	1816	Aojabdlf.exe	46

C:\Users\Admin\AppData\Local\Temp\854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035N.exe
"C:\Users\Admin\AppData\Local\Temp\854597e7f8fe31907d9309a81e2f810a228105b72f252991984a6aae037b1035N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\Pebpkk32.exe
  C:\Windows\system32\Pebpkk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\Pgcmbcih.exe
    C:\Windows\system32\Pgcmbcih.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\Phcilf32.exe
      C:\Windows\system32\Phcilf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Pghfnc32.exe
        
        C:\Windows\system32\Pghfnc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Qiioon32.exe
        
        C:\Windows\system32\Qiioon32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 144
        60⤵
        Program crash
        
        PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
96KB

MD5
6df21f327a1c47a39a0abf40b11d2597

SHA1
362936a91f90edbd1ae457af314f9e5eaa76662d

SHA256
6ccc104562b7813e19bb6323c34019d0e5c6e69b8a109877d8d05e3b1b2305b8

SHA512
aa053329a742a933559073360f340fc3a7a280b98cf0c4a450f082d23224a0f798d95775ad011a44c3ef5c8fb4e10c823764b2174ae422087ee5ea4045407123

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
96KB

MD5
945a878e6cdc837aa55e6beb0ab9e75b

SHA1
845004043ea5eb4ebec2794d910e65a434a40237

SHA256
21ee6fe3f0f773e6e0c5f7cab1ec592c9abb63d7b059050ece109121aa1b566f

SHA512
af2facc16f373be0369ff2ac1ba99f35e03f6f9693d12b987339103e220fd3583676cab4e27becb2a4a86a88ab97ced251f2bb8628d18af12f7415f226c8240e

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
96KB

MD5
4bb265c1de018f625252e827e44c3ff0

SHA1
c9f04308d53cceaa463730ae091dc597f3aa1f79

SHA256
69daa05ead2572e9ec7ba40c756c409a9ea258bab26ae03c87928d7a05f7092f

SHA512
8c97323f76feb842e3f877fcde9c2e56d803c4b45a2ca7f7f3ddaaf7401c76152bac5dddfe3379360850eb7a77cc30e5558b4c89cd41ac5840a311e0a56776bf

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
96KB

MD5
0f1f0dcd716d018e703dc1d554bbb0d6

SHA1
b86a8bec9d5a657b9983411ed6212600d768e42e

SHA256
a6d158bd849136ca6c2b13d71ee181d1dc93cfa9820fe7e7de615aeb04facba9

SHA512
9c1721077642d9e5f87e0f36254e6c9e4198c2c3a068bcc22f2d4d87dbd66703eb54b8daf432e4e86f0756fbe4b37e08e76557f0cca654cd4af45fbd083df0d1

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
96KB

MD5
e0d967a6cf514c89baf64d31d70fc559

SHA1
8b71e053eae3d11fdd8cfb05330d78fc2d9fe811

SHA256
41e13fa45c3bb006e973130eda56df665c9a3be8fa563add24f41a08c55c1257

SHA512
deafe6bce1179ef12b3b2f615d930d0b9660b9ec156ad89f095f76bb7c962a8bbdbce6a9611e2fadf08d345e7363e6329535450aa39bfa8f82f00ecda1ac76cd

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
96KB

MD5
6a78b17827399920e07d84ec9456450f

SHA1
63d5ae38007252e2154998bd3d38c7032a11b09b

SHA256
228a7c9aedfa258470e4b968ab448fbbacca159f2ba4be9857d6844a223b41dd

SHA512
1e7ba88280512d76d6b713bfe00aa6545374eeb93b3781f64745aa4c7fc62b8b009805743c90a0b5ae94ad7a57d63a3118dbf8f80275f2042abea7f12ec26173

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
96KB

MD5
aa1cc08bcf1e6bc097377db4ad2a3f2f

SHA1
be77635afca5beca053305dba5ff6686337d00a9

SHA256
0615aa2b25b4d9fad58bab6e3455313440ce40cf963a9d7c14e1934dbca31b39

SHA512
c574213653a78ee660a895f4ee2e4b85c4f1c25dacb80714ec9c99bf2d269596416bc608772c91210317d9ac96d31bd9ba150babd2af2df1e432351eb1d2c8ae

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
96KB

MD5
158cd16899eeb8104116118fd765ff0d

SHA1
d5f548294557bf955f5ad26eeed57cdc1ccc08f6

SHA256
9457ac58c1c4406cddfb95c7b64bc020fe0554a1bed6b0e0c8099a01b5f0e756

SHA512
9dbd8fae3cbfe7da547dd682a38ae3eaca32e4357a8a0aa087b41be361c5dbc3461f96948eb0d9d125bdfbdd4c979aec7d0c5edae0d659b28f979a09e8d00820

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
96KB

MD5
3b804c7dee5b495819e13ca91fbff6c2

SHA1
5fc75c7efa538d8b18281792191dffb21efec61e

SHA256
11b871c42bd00a3f494c027d90e3396ab99708e0828dabdf129565979b56f810

SHA512
aa2ba9dba12972c9e43a1877b52153997bc0198cc80c06b378f06811382f8f0b3086668209c273d7e78f213b14041ae0db335aac729a6681883b1e468bce2ec4

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
96KB

MD5
3f16b11bee2d091f47f88a3088fe9ff9

SHA1
4c2a77abe47328515b114871b8d789dfab51052f

SHA256
dfa3eb5ce3cd3990de915feee9c3268100a4635ba83975553b1a9ca84e00db3e

SHA512
a9e4dc3d9f6f432f21d4ec0f4e40a600da0dc105581f9265daf828321896d2e59e7bc3f67f63f5e1c7f50674f7c789ae1d30f4e251fe9af4ea7657c71918f863

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
96KB

MD5
29f0e2ea5d8bcbfec02c3acaf40cf76e

SHA1
9e7552e2d80ab1d9cb4123b5c7c80981e2f6dd86

SHA256
2b4372b3be84c559f57c3253afd2f241dd3e89b94b9dd0afa2630a9efaa86a4a

SHA512
c34bb135532abbc7957c63adc0785c851e67c22e1b1d6d912986d54fbb003f4ac51a33343285f0b4ab8ab0b12c217170cf32b8f69cfba3244b0c5ad5dbde99e3

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
96KB

MD5
6c0014de2318198c624dbf6707d19e8f

SHA1
d05091e259902dcc5c14cece09f91b871013060f

SHA256
86c8ecfb5b740ba5ff097693a8d733e86ba66804b554e9326bb1e16ff21a8847

SHA512
acd52675ad122b91461b981b1e411bc263a376cbe64ba8fd3803fe1b0a5f3caba5f938b22fd118651970a518525836dc0f3a209f204338151483c07d98bd7aa3

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
96KB

MD5
b68163571ac228e847e28300ccfe9056

SHA1
dd3692f5bf213f9f41139e4e528f62641be32da1

SHA256
e39ace74f1648f4e6ad309f8facaef1d7241f1e82f01edfe1cf3a63c35a4b01c

SHA512
4ed698d3dca6ecb220d5455d44c651958b8a34c974f357bacc5f8a3e9bb8caa9ec5dd451ad99ab68cd9c9e28a2a76c2e5e7b735080f30579a46bd700434923ee

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
96KB

MD5
653754eb397cf6f278abd886a35e45d2

SHA1
44833ddd9077167fd8e5912f50e06a2f8041440c

SHA256
bcda2ab5d99f39d52f70b50f6e63b68d4bb3a8627d18bfe91dac8b76e97faa90

SHA512
0f2b4394eef986d6656005723b63b55c2f944c7223c24059e7dba8a0f229f0946c3f7534aee5b504800d85e45751c60f6854a782bd3c83cbe1312923e207ba87

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
96KB

MD5
7f6fe7bb8569b9f52b7ec91284e157b5

SHA1
792c440e534cd9a06b0d8d00f5624e087de41b04

SHA256
5ad2f6b1af0abeb89d55251211560754a61f8ff012406cc4839e76279d679f15

SHA512
6ae888414b3e24b95e1c4ada96cf99e87bd6e1a9fca56e93df1ff830b61c299de6ff981528fcb399e4a0a074153133d1d43246edf6fc810158e5ce31610f89d3

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
96KB

MD5
bc638a151b41fb7be4bc37e97d6f93e8

SHA1
fd37b1c3508d95e926e2187c5c9b68f4fa4f28f1

SHA256
03c8b35f374b38f9538e740a4e14a07f724df863013be4b28fcc7a21f258a426

SHA512
2c23412f4eb788668d196d94f638c02da6cdfde5e6f717f24954cd7abbd94f0f552f67420c96c02027f12fcac3052ef34b5c4bf7b9e82553102b8ef02e30b625

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
96KB

MD5
4a48d915be840fe20033f8baa38a5544

SHA1
42028e4470e275cdb81f22acb3c52f300825731d

SHA256
7bc4425192f4cccc74b7c056d0c558bcd3db2b2c59f6b14ca5257c36c26035e7

SHA512
d1ca0274148597293bc9ab998213ea18ba8158f3c8ffb5f18dfc1c3d73fafb8320e85e565b9071bf07dfb413cbcb168aa728157f291a9e34fec77bfc0207e9bb

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
96KB

MD5
06f21af26d4544781ba9d0f976eeea79

SHA1
491d9276fa87d2001d70f1a2e719fc57855cb3a6

SHA256
69f6970dd57f54c86296ac151f753c1078c19e7971405674bd5401c3e01ed06e

SHA512
b97c4da97b675b36d7ea00e2e0b461430e665e63f82ae041831156d2e5c558d623efa03963973ad26a5adaa4214d22b827195672644d80c7dc9dd8752eaa25f3

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
96KB

MD5
018b5bd7c9a15b890ac67f44c634f5e5

SHA1
a3029529d053c42ffd6f058cd4a14833aad2bc60

SHA256
17f27515dc8bf8a7fbfdc88955072bf3e2e27b060cae733ece5e007452b2aa07

SHA512
2360cd136ece3a3e41c1a57dd96276c902700c6c1bfb597e717c72e925dfcae69a1a5002d443a9ddb55e9afefdcf33ed97261dd5999263dbac771cdff400d281

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
96KB

MD5
b3917a89acba2576dc418502f677daa5

SHA1
0c81c663588a9d9586b2ac2b834caef5924f4556

SHA256
bdcde3fd0b487f57cef544c6b99cb3288f95f6498f6d7d5fdf0ab4c2eff6ebd1

SHA512
20c93bf85390a0047404811f64345a0ea07b09795bd95d58e7ab0c0101338d7a8e9ca20796fb8036904630558ba5ed5e47829c489b163830784d3d73864b3cc2

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
96KB

MD5
a7c7069c500e7bfcd0f2d2afe3e436c4

SHA1
3e14add90e083efd28e45efc7e0f4bf0203282f2

SHA256
b500f2ebfd8357a53ad9a02905011ccefdf093afbbffb01f8d171ce02e532785

SHA512
83054e8c8ee3d68040a034a43362d3299b1ea44f2b5a965689a4deaec8047a9d46d6958e1db7b91a98533b1272bafa6c711eea0c0aeb2b5495a518bbab0eb975

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
96KB

MD5
0f3297f4dcbbdc739e9148c4c7ae1d7e

SHA1
c8a090981e379dcf4bd53fef0c048080d8ca12e5

SHA256
b86956fd74b31da6e082a3555a554f5a296ed9f702a9413145dce0e2d5bbfd1c

SHA512
677deebd5f3b377a8cb2361c4bdf20ca9898a9457651c504dc768842ba7fecf532e8a74b6199137084a538876f3619819b66df5ce6d459a3157e75b6f4265b64

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
96KB

MD5
42e2973b66b0edd9bd36c8240eccd8ee

SHA1
a4ac36ccaaf5c75422fbb1d5eb85afb5dc24bd95

SHA256
08cf4a0248ef0439a1503706478601b96bf5d29a02d735e1fa85e5211eaae1e7

SHA512
b41ee6d807ace339672044a45092a8e683eafba5e0bc6efa1c22888b773d8a582f6c5755713a46d8d06864424b860945eb6882befdb13e01d7a6b8dabb3c022a

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
96KB

MD5
d3d0278eab5fc4d0cd1f139904ed080d

SHA1
ed798fcfe9fbec46e7e892e599f2b346b319cf42

SHA256
bc3284927bd645fae00aab581445b79c05ce936a1eb244f0d09f44bf45df1e2f

SHA512
fbba5883cda9aefb1d542381ee8e494f7458d59a7fff18a97988742f1b6ca33437676e0f0935013b2a807da34825191cd4ab655ff93ae6e41e9cf222efb4b2c6

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
96KB

MD5
cdfae1e2fa51a9e073cd139a44b9fe83

SHA1
77f1b8b222810d42d0f01250419f935c79939e5d

SHA256
6b2062f2f34650dac1b88132939ece6ff1e7abc048781b6e723e6f2b16221fd6

SHA512
9e5cf0d681d02d99fe2ab0c4e9094a23bdfe0c18b7cdbb58b303b18eb7212987f9f3d08abf11491f2f3bf7e749bcba41c875d89d58fe9bf83149956ef88e051e

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
96KB

MD5
8c3fe06baf84a3d850c04e2b77ac78cd

SHA1
0f6ff911e34e1af83f5b2b561e1fbb9944e21451

SHA256
7ee823a4fed6a7e4e34b27fab3e254bf393980f4398ae4cbedd8e4a1fee48523

SHA512
d7266d24241680250c4f427103c0c6e2ed7e9df22e09cc6dcd3e0229ed87b8f563de4b88e377ff63558dd5dfbe78e495bc9afe5622c5e310a7c88cd63974e7d1

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
96KB

MD5
317d3d3b2347f74da18cc46904d8d91f

SHA1
5090edb845dfe389b179f9a9763a1e5b13b40c35

SHA256
9993f07a69b6a4a6d2520cd81f86f6a957cc66dc3734522bad74ae86b85f1d6b

SHA512
f0ee77d03a45d90211f9d5aa9e98e3a792d9ff51ecfe8078dbcca2352aa4c073f22a68fa73401fec109604af3b91604dd24022d4ccb67c129aeec18e13d2f0a5

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
96KB

MD5
574908e11f3811c0c29840e8ffd638ff

SHA1
6d773a41ee05e474ffc1b49dfbb2a2eac5d175ee

SHA256
8d9d319196772d92079d8ca03727dc0aed3dbd7525e2d4c6d53213b92510e8c6

SHA512
4c2b633cb35e3e986afaab2bd36c3e6cda24dd49647bf98629a54d9977e5e9af958809e6bc740bfb252f37292d22b105f1bcdca665eb65c4de676c918ea93e13

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
96KB

MD5
385f5fc1c8a85055a30b60bc460e92e1

SHA1
4ce34b6844db1faba41d0c0c56d2652dd5d8ede8

SHA256
ab426cc9211851a2409ab375ab6f889be79826ce77ac35e192349b5842122bf8

SHA512
4a2f138b99d7d41d3eec075ad95abf27c038a293076788b1abb8720175e56c6aaa37b066f809c32f2921936d885917c82a32a2d4bd015116d1c81f4ef071dc77

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
96KB

MD5
e4e57ce8d4e3840068087fa4db6f0765

SHA1
0a70dd5493d5364980152d5c3225d475eed7a019

SHA256
657d7737e038e1e24835c0b6279523e10a928b79d74936e4939139cd7bb4373e

SHA512
5484b982d918b4c33cb5919e8288401514cd20f4951a37c115e358eaf1d5d4dfa62186e179da9ecd18954fd5e3b53a5b29e960d4a4b1e9629bb5fe25cc4b25f1

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
96KB

MD5
5c48542911fd58b3ee6b5ecc06f5f63e

SHA1
184434a6dc84515b1902c1788a326c11f3e70f51

SHA256
398356888dcf64de8781761d8bca89647b3500299c035a385533033eb1e712ac

SHA512
ec095f3ad8955a02d17ff7fc785ea1470f396031b3732837f540b30db629b2f12bc813c8c827ba8fd4bb7c4a0b3e0f7cfbd59a6ec2a9cd80c6fd3ceafaa17f7f

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
96KB

MD5
62d061256673a1c8e5ada0f29383d952

SHA1
bb124d8aa8b7fa595d847ef79ee150f4eb66d13d

SHA256
513b3d13a0c1a661a9f48d494d2e4600ad0bed59dfe82a8b4e9bf642f7fdc8d0

SHA512
2478acb756f309f60fb456bb2830dc1f1bd9454ae996b508e912560dc28509358c3332debbc3c76424ce16fdffc9ec8aeddba1aeb8adb0054cc8048a714a6ea0

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
96KB

MD5
1ffe737437ae6e7e9d4435c0355f9df3

SHA1
0b352e336587c44e23198b2b1be1cb802101c5f5

SHA256
06175e463987d13d931925d76dae5feee737a8e2b4956813cdf48629ef4ac8bc

SHA512
8dea4dc9c7afeceab08d89ed571df556b8138586235bbe1015ebb2a71141d2c0e59b6c834560b2cb088ae41ffdf20324191bd7054e0c294ab480f5275aa68cfe

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
96KB

MD5
1be63d833a9b8d90e288a3530bb6d79a

SHA1
3a96970051dd562730c5835e39b3c183c5a3b874

SHA256
486fc10f549a1f2c321cf3095b17c1eb3a643306281f0521550de447a9393462

SHA512
b56ad0f9cae60547782c8519ee89c8f75ee6d376c0895fefa2d25b37661f1b1dbe5fbc964e404ea13a301b74e92cec70efa376ae002f25421e03def6b8c0a6b8

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
96KB

MD5
bd8725fb581104e7174723a3442ef392

SHA1
13067b11ae17f11d19c2bd3f6892bc17f0f12b17

SHA256
62e768fd71950951b1018cbe305648f104071c38633eb8bb1f93c5ffbbbc60c0

SHA512
2f25ebd79423b689e60335bf21060b2ff9dd57ea3ec07bff46ea6e83252603a2dc22566a8aa29e759b8b1a3e7f4c2126233e4d9d807d393a4b9c0bb85bea5430

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
96KB

MD5
bebbe79cf91c6db3f4755d92addae0ea

SHA1
2d89bcb31e0ae3222c07cb3ca62af89411a460f6

SHA256
52ac9ac6b42f6d9a76b001b0c10d04ce2f910396b6307e20ef410bdf72121fe3

SHA512
be858ffa8affaa2000da932b22b0be8ce9279ed588b2b22eec48ccc717fe2b229cbe1166f93ccf00d870eae8e51f3b9e3dab7c0ba8e3f42bbfb90d67cedcf663

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
96KB

MD5
bdec80bd5e4ed3efdd7cafbad70372d4

SHA1
f106f1d270c36167106ad1fccb914b65429663ab

SHA256
382ba7f4d8d00edba38d82825aef8bcaf38fede1d2f87825ebfe451abd823e9a

SHA512
463d4133c4337c70105960466b43dc3127a1f1e2334640438031b6c051bddec6407130119f9f1b9c2dfb826ada785f663810a9e42fa49732bfb10f50f757ee8c

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
96KB

MD5
5594a1c184961e8b918ea4701d9da63f

SHA1
931764f7078dd82e2861d19dc27bec8a40146c66

SHA256
961ca8ada6072eba744280f5a7bd668c8a877bffb36ff56b50285d3b6519b454

SHA512
799d378e69c122a5faa50d886996cc8492845a182acd4c3a48011e6ef4a2e68543f0ad09ec87679d4348e4f0ccbceb9f95072808934f21df41fb5d915748b4cb

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
96KB

MD5
af548aae6e36ba05690d5acc706082c6

SHA1
1b1a781286695c2417cf7fa912ec872f201d48ac

SHA256
465d7fd1948b53b22574732352d9a83e5e736442e58b9a1025b2a17d372890fe

SHA512
84ca5d052f2d3dcc6efad28e20c3e1cf3f68ac7ff1e75f6ed8c1deaef22e394fb856d7afc174bce297a4ff201bf522f689c725bdca44b66d8c5579a2217c45e1

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
96KB

MD5
4489fd4416a49c3c4dc27eddc63043a2

SHA1
fed95a06847ec4aa7fb7c0509f92567f26997d64

SHA256
bfcf5ab91f45095628b8341f86276b7e40e1d85b4019416b165beba7682e04d5

SHA512
0e07fbc89b042f8260e7a0b24fbb31864890a809edaffdc43bef6b15fd3c2bb9596aa70529b5ac6b43e0f4ff44d0cc86167c5fcdf75a1539e6edf566d218bcbc

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
96KB

MD5
db89612be908f10ad4b3dbb6b0cca38b

SHA1
be05fa80d85ddd6c47e588848c6534dc7fd7379b

SHA256
21260ef2fe94534b7a95dc831ffacc96bf04fd6a1cea54870d8fcb5f4f1ae09c

SHA512
57536251a9147145f10a8a87c6071f8ee9235794a8e7d4907326979b019759673c9ab999b429745848977cf5237e07bcfd3a5595395ea6daa46b084e24417ea0

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
96KB

MD5
7939c657c73ef31cd5f778613f976ccd

SHA1
e11c036932e123988d53a4441443bb563f6957a3

SHA256
91d2f8ddbfb6fd32919db12b754374cb5f0f996f781ec9bd7b24e2faa1b370be

SHA512
4b138d03ef5a47603dcf81ce77dd4c49db40b53768dd352be45dd5a59a145230e266d6323f029167731ec7ece8a6e1e554c4d7857948dfe3644454fa2205186b

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
0b7b7480e7fba1e7100edc4283875bdf

SHA1
9b9917aecfb67620c6d5466e1a5cfffb2aca6ff9

SHA256
78cef6e6f3dbeb8c7d63a4a80a6730cdbbbfafb5d620fb0a155e4786af5a7d97

SHA512
f7415373520bf9b19cf6dee0c8f21a325664a22b8b815d65897895dc6a37664043c47820ed74002f6894ea7df3ef6d2bd8699adfff034df0dffbf07ee0313c9b

Download Submit
C:\Windows\SysWOW64\Pebpkk32.exe

Filesize
96KB

MD5
4daaf2dcf1e129ada48088312f624ada

SHA1
0c15ba281ed3aa2550c6fff5cdd0e63d5eb1c526

SHA256
c2a72a7ae97cac4367a341033de862514df4edacf46afdbffaba2788b7c5742b

SHA512
51e274ead0c7f2b742a1ddf8ccf2895afe2c797a5a512e9da4491951d8366e687effe37b169a4cfe97329e5aaa661d20c23983d593fdbb37da0ff4f1c692d12c

Download Submit
C:\Windows\SysWOW64\Pgcmbcih.exe

Filesize
96KB

MD5
fd96104bc632baef8df29499d7aa0de0

SHA1
e5dbd57306a4d56976b8f89e1d87d4eb25e70928

SHA256
b8b62faed9217789f87d11bcf00b97df4de7be0f34d85b5e2778551a91cb54a0

SHA512
a5e59983adda042505f54e879b2364070c76c6fd3799677198ee22e1afd40fe4c09045c8704812812f2fb1b7e7913f431890d3f72690e859770ee523b2491d1f

Download Submit
C:\Windows\SysWOW64\Pghfnc32.exe

Filesize
96KB

MD5
e7c45a4fe50deebd827f9d6e8f507eae

SHA1
d0fd6ba1b187f79ec2f72ed8445e3e50ceecb9cb

SHA256
0991eec4bb2509fba70f951a3aecb7fa994a4f112f14281751a77a2e841be837

SHA512
a8a1c0e5e7d961e94611a8681be007b3dda06b51aa613d0e6569dc574940767b01ca5376fc40fe8fb401d1793dd9580f33cb20f5049650c83f2d4fe061092675

Download Submit
C:\Windows\SysWOW64\Qcogbdkg.exe

Filesize
96KB

MD5
b9c66084a1100fa5da4490a9135474de

SHA1
4ef293a2e1eca5ee575f930265b6a9dd4a98d151

SHA256
cb59ef81f879266bb46bcc5594a105ae6996ab3f9b1cca57204197e235947fc6

SHA512
6f9d9b88b70621cca7ec9f8e7f48e2ebfb200e07744f493e5d5f93ce24919f67ef57aa00d1c3b03e2269571556ced5a8095a3950e59b0e4d442e24a60e589eda

Download Submit
C:\Windows\SysWOW64\Qdncmgbj.exe

Filesize
96KB

MD5
9bab003bf32e399da788e5aca0ff5209

SHA1
6649d45fcda933fe1f036320e84f9162f0ae3999

SHA256
0882c3b8d843b5824af6f29c4efedeb2360f476ac4225b5c5bea7c440153faf1

SHA512
d6369f8a44113e1e02c9e05c948433707ad8f4b817390c90e8c3f28f4ec855fdbfbd8e89069c6013830299118cd5a2bc914a410619249121813b4a59c298f5da

Download Submit
C:\Windows\SysWOW64\Qnghel32.exe

Filesize
96KB

MD5
9f9e636687a04ee721ac5cfa8a2a8f4b

SHA1
620a61ac6dceb37f719b80d76dc86b0b1ddfb367

SHA256
e797b2a37ce12d40677a7b2e12644aec392074d1b742ae8a3c4f09fd935e7e11

SHA512
339022c7fa32db9b2f5a783a83e7c0ad3201bc7de61f3ac186e82b74824b1e82ff49e3ff3cc22f20b1d02cf952bdc627d3426d41d3d7bb260e909af44d9fdf5a

Download Submit
\Windows\SysWOW64\Accqnc32.exe

Filesize
96KB

MD5
88cc580d4dfaf944d099b31135d5bdf4

SHA1
3822a9f89a5d5fbb436999b4e66233f54f012f40

SHA256
1eb2d414d6892a0a70f37e926d27da875a9c183d2762bd93f8c3ae4210425f9f

SHA512
1f19a9780298a2eb206a0fd1c6ec6a4f8bb89dbad4a502dd909684a44da6685d89f699289575d0db7ef95caaaeaba9b89d17b46fdcf840b056ea95534bccc52d

Download Submit
\Windows\SysWOW64\Ajmijmnn.exe

Filesize
96KB

MD5
84b4c358b6e74ffef757df377b610276

SHA1
f55a39cf5031cbe358f64bc9ddcaf4e580f59c20

SHA256
6e89a5e382fcc3ad9891f9b5974a725d694be616981540b7f945f6a3927d36ec

SHA512
b24ec06d1cec9c54481a0cd56acc9906cbb2adacbd59ff91e687821902e7ac440696918ab34e489fc13826bee7ee212a88c5170ef28972ecbb2a16b27a310f63

Download Submit
\Windows\SysWOW64\Aojabdlf.exe

Filesize
96KB

MD5
7f608410c2ed640364167e4ddb45243e

SHA1
2a097de50d1837cec5a690cac33e3014faafe388

SHA256
37e3e437b94652cbbb43f477d0c12a2c2de51dcd12b4ef37f53d13d7bd85ac6c

SHA512
a52851e5a86f2ea249a1b140831330a0b24e971dc0b23dbf55a45429c2e38399fab9f9393a46d19e5cc1258e2a2ab762758d09e22d17181158b2012d118e845b

Download Submit
\Windows\SysWOW64\Phcilf32.exe

Filesize
96KB

MD5
5eca3111dcfca1e09cf6ae1db2837986

SHA1
f659ad85da1148d4eb8d903d3a2ddf01b35f7a77

SHA256
998ab72430d56339a0f67a9c576ec48e0fab26760b54ae38f140c69765abcf09

SHA512
3b426e3ca89496a9fb2251a1d5e10b83f00b04a18a15cd35a9adb927dfc0157eabd1f20e9675b8394853bae337dd3f2cf5ab27e264b8c355d19e4dcab81513bf

Download Submit
\Windows\SysWOW64\Pidfdofi.exe

Filesize
96KB

MD5
675b634215408334f1391ed0e0347f0f

SHA1
8ec7d6a028e0d7b9a905f542764d8acdb4a3c645

SHA256
907f36bc7cbf643d39d3d1cf10a1db4ba21c2adc57026718d4dfb24355d47c03

SHA512
3e8ad6de3d6b6f26813209704d1cfd6998128d2fa7a77ff53209425bcd1f7809ceefe83d20bc0972af1b29c4458d5cd8664bc06b53b00f813f20bfaf9cfe6485

Download Submit
\Windows\SysWOW64\Pleofj32.exe

Filesize
96KB

MD5
4ece15da6c9ee6bafe0680aaa89cec0c

SHA1
5adf58d8bcc8f0aba11e161109a8d533064f4308

SHA256
537638aa31db5f2908936cfd91473eddf6cb5c5f15da8a687d73b26fecc11b16

SHA512
8bb2aeabef515277803897310d00a1a541b5d7cc84d59516bc87d7ef1505f41364f874568be5aed9f3a30aff8bf18f075e821c3a132efa685a587621b3d57c36

Download Submit
\Windows\SysWOW64\Ppnnai32.exe

Filesize
96KB

MD5
bac663729a35742203552cd679f3521d

SHA1
d8bbd75690f52c68903cbcd2a93e53688725ce77

SHA256
01412eb295c38d72c488621ac47a1c11c8834071d8615ba3c052066287f3d91e

SHA512
64a9e40517b86fd45fcd0ff72822fe8d2b5ff2ffbf682844781ffdddb364f1410a5bb6f8795a4d7f9165c80a6e0c16557d2867b0e520a5696bbd7425bf9e9382

Download Submit
\Windows\SysWOW64\Qeppdo32.exe

Filesize
96KB

MD5
785a8f656c25c7ca4ce3ca51ce161c60

SHA1
d2def9222c4f4a5b1f616e8bfe1d906d4ba406d6

SHA256
3106b5ec178693175d72c494d17395a314973421171c2b7a04e4fe3bcce8710d

SHA512
903d246b319d0df6ea114067b83f7654e928cde0935926639f0396150455e92ccd9c3b57d373f0417c377233d92903629c5686f6910795136740a253133e40d0

Download Submit
\Windows\SysWOW64\Qiioon32.exe

Filesize
96KB

MD5
95c03d1bc0fd74ef0c821cf891b3c49f

SHA1
b0e9b703f001dc1d8e609f621cfe732b57f6c5c5

SHA256
fc099c2319491426d75cd0c3848ae0369cadb45557c43304af5738dff552eefb

SHA512
866bcb18587c91cf4aa317517ebc63104cff7b492d57d931f358b7592542dd83170b530f2ee31d1187613ad0163713d3961849073af8f3a1ab4c8bbb67ec8758

Download Submit
memory/376-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-141-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/376-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-500-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/752-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-167-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/752-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/900-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-259-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/960-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-710-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-488-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1132-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-703-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-478-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1156-52-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1156-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-393-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1240-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-709-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-434-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1252-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-193-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1312-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-397-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1408-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-452-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1408-747-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-740-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-291-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1652-290-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1652-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-499-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1724-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-243-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1768-743-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-212-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1816-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-114-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1864-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-706-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-422-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1992-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-301-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2032-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-302-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2052-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-705-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-355-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2200-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-321-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2212-324-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2212-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-221-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2344-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-11-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2344-12-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2368-465-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/2368-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-466-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/2424-741-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-277-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2532-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-742-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-441-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2568-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-378-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2620-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-341-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2708-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-345-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2724-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-363-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2744-312-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2744-313-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2744-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-333-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2808-334-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2832-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-62-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2832-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-408-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2868-704-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-424-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3024-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-92-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3060-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-34-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/3060-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-388-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads